Data Sovereignty
refers to data being subject to the laws and regulations of the country where it is physically located or stored
crucial for multinational corporations to ensure compliance with varying legal frameworks
VPN
creates secure, encrypted tunnel over the internet
ideal for a security consultant who needs access to a client's environment remotely and securely
IaC (infrastructure as code)
Enables DevOps teams to automate the setup and scaling of their cloud infrastructure making deployment of resources more efficient and less prone to human error
allows organizations to streamline infrastructure changes so that they occur more easily, rapidly, securely, safely, and reliably
foundational systems are set up and overseen using scripts and automated instruments instead of hands on methods
PaaS (Platform as a service)
provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure
Data classifications
first step in data protection
helps identify what needs safeguarding
Tabletop exercise
simulate cyber incidents in a controlled, discussion based format
evaluate the effectiveness of the organization's incident response plan
involves key personnel discussing their roles and responses to a hypothetical scenario
helps identify gaps and areas for improvement without the need for technical assessments or physical testing
Permission Restrictions
allow organizations to control access to specific data based on users' roles and privileges
ensures only authorized individuals can access a private customer database
Passive device placement
monitors for data breaches by analyzing and logging traffic without interfering with network operations
IDS
Active device placement
actively modifies or influences the network traffic
can make real time decisions (blocking, redirecting, or modifying traffic)
IPS or Firewall
WAF (web application firewall)
designed to monitor, filter, and block harmful traffic and attacks against web applications (such as SQL injection and XSS)
operates at application layer
Intellectual Property
encompasses confidential information critical to a company's advantage
such as trade secrets or patents stored in a database
EAP (Extensible Authentication Protocol)
provides a standard interface for integrating multiple authentication methods
can be used in various network access scenarios including wireless
provides flexible authentication without requiring changes to the underlying authentication mechanism
LDAP (lightweight directory access protocol)
used to access directory systems over IP networks
used for directory querying and authentication
RADIUS (remote authentication dial in user service)
a protocol for carrying authentication, authorization, and configuration information between a network access server and a central server
can support EAP as one of its methods
NGFW (next generation firewalls)
goes beyond traditional firewalls by incorporating more advanced features like IPS, application awareness, and deep packet inspection
provides enhanced visibility and can detect advanced threats, making them suitable for contemporary security challenges
Proxy firewalls
acts as intermediary for requests from users seeking resources from other servers
filters requests at the application layer
does not provide advanced threat detection capabilities
Stateful firewall
keeps track of the state of active connections and decides on packet allowance based on the context of the traffic
doesn’t offer deeper visibility and advanced features.
Responsibility matrix
a document that defines the roles and responsibilities of different parties involved in a cloud service agreement (cloud service provider, the cloud customer, and the cloud user)
clarifies who is accountable for what aspects of security, compliance, and operations in a cloud environment
Continuous backups
allows near instantaneous backup of changed data
ensures minimal loss during failures, especially crucial for high-volume transaction systems
SDN (software defined networking)
manages network controls through software
separates the control plane from the data plane, allowing for more flexibility and automation in network management
does not focus on running multiple OSes on a single server
Replication
involves creating copies of data in real time or near real time to another location
ensures data availability even if one location fails and can also aid in load balancing
Differential backups
stores all changes made since last full backup
provides a medium between full and incremental backups but does not provide real time data duplication
Snapshots
captures the state of a system at a specific point in time
offers quick recovery options but does not involve real-time duplication of data
Infrastructure diversification
ensures that organizations are not overly reliant on a single data center, network, or platform
by distributing their assets and systems across multiple locations or platforms, they can significantly reduce the risk of total service disruption if one component fails
RTOS (real time operating system)
prioritizes performance, sometimes at the expense of security features like buffer overflow protections, potentially leaving the system susceptible to certain attacks
Layer 4, transport layer
deals with protocols like TCP and UDP and is concerned with port numbers and connection oriented communication
network appliances operating at this layer filter and manage traffic based on source and destination IP addresses, as well as port numbers
Proxy server
sits between a client and destination server, forwarding requests and responses on behalf of the client
can effectively mask the client's IP address, providing a level of privacy and anonymity
is not for administrative access but rather to control and optimize internet usage
Jump server
facilitates administrative access to an environment
provides controlled means of access, reducing exposure of the underlying infrastructure
increases security by limiting the routes traffic can take into a system
isn't designed to forward and mask internet requests from clients to destination servers
Serverless architecture
abstracts the infrastructure layer, allowing developers to focus on writing code while the cloud provider manages everything else
allows devs to write and deploy code without concern for the underlying infrastructure because the cloud provider automatically manages the execution, scaling, and networking
SASE (secure access service edge)
combines WAN capabilities with cloud native security functions
does not serve to detect and alert about suspicious activities
Journaling
keeps track of all transactions and changes that occur within a system
this record allows for precise recovery to the moment before the disruption in the event of a crash or failure
SD-WAN (Software defined wide area network)
provides centralized network management, flexible routing, and traffic management capabilities
can be hosted both on-premises and in the cloud, giving it an edge for comprehensive WAN optimization
steganography
data that is embedded in a picture or some other source
Microservices
multiple small services communicating with each other
this inter-service communication can introduce complexities and potential vulnerabilities if not properly secured
typically decoupled from the physical hardware layer and focuses more on application logic
parallel processing
allows different recovery strategies to be assessed at the same time, enabling faster and more comprehensive analysis of their effectiveness after a breach
can simultaneously assess multiple recovery strategies after a security breach
embedded systems
software is hardcoded into firmware
often lacks the flexibility for timely updates or patches, potentially leaving them vulnerable to undiscovered or unaddressed threats
snowflake systems
unique configurations that can cause drift in platform environments
can result in unpatched vulnerabilities and systems that don't behave as expected due to minor configuration variances
may lead to the need for manual configuration and patch installation
may create instability and lack of security
IPSec (internet protocol security)
a collection of standards that work on the transport layer (layer 4) of the OSI model
used to ensure that the data is securely transmitted
commonly used in VPNs, provides authentication and integrity of data as it is transmitted
Data obfuscation
alters data to make it unreadable but retains its format and structure
ensuring a team can carry out analytics without viewing the actual content
hashing
transforms data into fixed size representation
a one-way function, not designed to be reversible
Tokenization
replaces sensitive data with non sensitive substitutes (tokens)
secures data but does not provide fixed size representation
in line device
actively evaluates network traffic as it passes through
allows it to reject or modify packets according to predefined security policies
ideal for actively enforcing security rules and blocking malicious traffic in real time
Clustering
involves combining a number of servers into one node
different servers can be assigned different tasks to provide greater fault tolerance
each server can handle one part of a complex website; if one server goes down, the task that the server performs may be unavailable but the rest of the website will still function
Network appliance sensor
passively monitors network traffic, looking for signs of malicious or anomalous activity
won't disrupt regular network operations as it operates in “listen-only” mode
GDPR
governs protection of sensitive personal data referring to specific categories of personal information that could harm an individual if made public
includes, but is not limited to, religious beliefs, political opinions, trade union membership, gender, sexual orientation, racial or ethnic origin, genetic data, and health information
ICS
integral to manufacturing and industrial environments, overseeing and controlling processes for accuracy and safety
ensures precision and safety in operations
tap/monitor mode
refers to a device that copies network traffic for analysis without interrupting or altering the data flow
allows admins to monitor and capture traffic in real time for diagnostic or security purposes
resilience
refers to the ability of the system to quickly recover from failures and maintain operational performance
crucial for ensuring availability during adverse conditions
containerization
encapsulates an application with its environment guaranteeing uniform behavior across systems
bundles an application and its environment for consistent behavior across platforms
NDA
legally binds personnel to confidentiality and secure handling of proprietary data
prevents unauthorized dissemination or replication of this crucial information
Virtualization
allows creating multiple isolated environments on a single physical device
offers resource optimization, isolation, flexibility, and security
simulations
uses controlled environments to replicate security breaches, enabling IT professionals to practice responses.